Introduction
This privacy notice applies to the processing activities performed by Thr3e Pte Ltd ("Thr3e") for the personal data of its clients, prospective clients, and website visitors. Your privacy is of the utmost importance to us. It is our policy to safeguard the confidentiality of information and respect the privacy of individuals. Please see below for information about how we manage personal data, and for information about your rights with respect to the processing of your personal data.
Definitions
The following terms are defined as follows:
- AML means anti-money laundering.
- Digital Asset means any digital representation of value that may be relevant to Thr3e's services, excluding non-fungible tokens.
- Thr3e, We, Us, refers collectively to Thr3e Pte Ltd and its subsidiaries.
- Personal data refers to any information relating to an identified or identifiable natural person, including names, identification numbers, location data, an online identifier, or to one or more factors specific to the physical, economic, cultural, or social identity of a natural person.
- VASP Services means exchange between digital assets and fiat currencies; exchange between one or more forms of digital assets; transfer of digital assets, that is to say, conduct a transaction on behalf of another person that moves a digital asset from one digital asset address or account to another; and act as a custodian wallet provider.
Your Data Controller
Our products and services are provided through local operating entities that are part of the Thr3e group of companies. You are contracting with Thr3e Pte Ltd as specified in Section 18 Full Details of Data Controllers.
How do we protect personal data?
Thr3e takes the security of personal data incredibly seriously. Please see here for further detail about our information security practices, and here for general security information.
Information we may collect about you
We obtain information about you in a number of ways through your use of our products and services, including through any of our websites, the account opening process, webinar sign-up forms, event subscribing, news and updates subscribing, and from information provided in the course of ongoing support service communications. In order to avail our services, you may be required to disclose personal data to enable Thr3e to assess your application and comply with relevant laws and regulations.
The information that we collect from you is as follows:
- Full name, residential address and contact details (e.g. email address, telephone number, etc.), date of birth, place of birth, gender, citizenship (“Biographical information and contact information”).
- Bank account information, wallet addresses, details about your source of funds, assets and liabilities, and information relating to economic and trade sanctions lists (“Financial information”).
- Trading account balances, trading activity, your inquiries and our responses (“Trading information”).
- Information on whether you (or someone close to you) holds a prominent public function (“PEP information”).
- Verification information, which includes information necessary to verify your identity such as a passport, driver’s license, selfie photos/videos, login credentials or Government-issued identity card (“Verification information”).
- Other personal data or commercial and/or identification information – Information we, in our sole discretion, deem necessary to comply with our legal obligations under various AML obligations, such as under the European Union’s 5th AML Directive and relevant laws (“Other information”).
Information we collect about you automatically:
- Browser information – Information that is automatically collected via analytics systems providers from your browser, including your IP address and/or domain name and any external page that referred you to us, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform (“Browser information”).
- Log information – Information that is generated by your use of Thr3e-branded websites, applications, services, or tools operated by Thr3e that is automatically collected and stored in our server logs. This may include, but is not limited to, device-specific information, location information, system activity and any internal and external information related to pages that you visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Website or App (including date and time, page response times, download errors, length of visits to certain pages, page interaction information such as scrolling, clicks, and mouse-overs, and methods used to browse away from the page (“Log information”).
The provision of personal data is necessary for entering into the contract governing your use of our products and services. The minimum information required to be provided is biographical information and contact information, verification information, and financial information. Without this information, we cannot commence, or continue to perform our services or provide our products to you.
It is a statutory requirement to provide certain information to comply with our legal obligations in respect of anti-money laundering and crime and fraud prevention. At a minimum, this includes biographical information and contact information, financial information, and verification information. Without this information, we cannot meet our legal obligations under anti-money laundering and crime and fraud prevention laws.
Information we receive about you from other sources.
We also receive information about you from third parties such as your payment providers and through publicly available sources. For example:
- The banks you use to transfer money to us will provide us with your basic personal data, such as your name and address, as well as your financial information such as your bank account details;
- Your business partners may provide us with your name and address, as well as financial information;
- Advertising networks, analytics providers, and search information providers may provide us with anonymized or de-identified information about you, such as confirming how you found our website.
- Credit reference agencies may provide us with your personal data during the credit referencing process.
Our legal justification for processing personal data
| Why we process your personal data | Legal justification | Categories of personal data |
|---|---|---|
| To provide our products and services, including payment processing and to enable the completion of the client on-boarding process | Performance of a contract | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, and other information. |
| To conduct or arrange for the conducting of credit or identity checks | Legal obligation to comply with “Know your customer” and customer due diligence regulatory obligations. Such processing is also in our legitimate interest to prevent potential crime and/or fraud and to protect our business. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, and other information. |
| For the purposes of identity verification, compliance with court orders, tax laws or other reporting obligations and anti-money laundering controls. | Legal obligation to comply with anti-money laundering laws, financial services laws, corporation laws, privacy laws, tax laws and other relevant laws. Supervisory authorities’ rules and regulations also apply to us. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, and other information. |
| To administer our products and services, to provide you with information in respect of our products and services and review your ongoing needs, to troubleshoot our products and services, to improve our products and services and to develop new products and services. | In order to ensure effective provision of our products and services and to meet our clients’ needs it is in our legitimate interest to administer our products and services, to provide you with information about our products or services, to troubleshoot our products and services and to review our clients’ ongoing needs. It is also in our legitimate interest to improve our products and services, including support services and to develop and market new products and services. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information. |
| To pay affiliates (our partners that promote Thr3e and drive new business leads) | It is in our legitimate interest to use affiliates to engage new business leads, and pay those affiliates if the leads generate revenue. | De-identified trading information |
| To market our products and services | Consent | Biographical information and contact information, trading information, other information, browser information and log information |
| To conduct surveys | It is in our legitimate interest to send you surveys and conduct such surveys in order to gather information on how our products and services are working for our clients and how to improve our products and services. | Biographical information and contact information, trading information, other information, browser information and log information |
| To conduct data analysis. Our website pages and emails may contain web beacons or pixel tags or any other similar types of data analysis tools that allow us to track receipt of correspondence and count the number of users that have visited our webpage or opened our correspondence. We may aggregate your personal data with the personal data of our other clients on an de-identified basis (that is, with your personal identifiers removed), so that more rigorous statistical analysis of general patterns may lead us to providing better products and services. | If your personal data is completely anonymized, we do not require a legal basis as the information will no longer constitute personal data. If your personal data is not in an anonymized form, it is in our legitimate interest to continually evaluate that personal data to ensure that the products and services we provide are relevant to the market and our clients. | Biographical information and contact information, financial information, trading information, other information, browser information and log information |
| For internal business purposes and recordkeeping | We have legal obligations to keep certain records. Such processing is in our legitimate interest for internal business and research purposes as well as for record-keeping purposes. It is also in our legitimate interest to keep records to ensure that you comply with your contractual obligations pursuant to the agreement (“Terms of Service”) governing our relationship with you. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information |
| To enforce and defend our rights including initiating legal claims, preparing our defense in litigation procedures, addressing legal or administrative proceedings whether before a court or a statutory body and to investigate or settle issues, inquiries, and/or disputes. | It is in our legitimate interest to enforce and defend our rights and to ensure that issues, inquiries, and/or disputes are investigated and resolved in a timely and efficient manner. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information |
| To comply with applicable laws, subpoenas, court orders, other judicial process, or the requirements of any applicable regulatory authorities | Legal obligation. We will disclose personal data where we receive a legally binding request to disclose personal data from law enforcement or other bodies or where we have a legitimate interest in assisting law enforcement or other agencies in respect of an investigation. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information |
| To notify you of changes to our products or services and/or to laws and regulatory rules and regulations | Legal obligation. Often the law requires us to advise you of certain changes to products or services or laws. We may need to inform you of changes to the terms or the features of our products or services. We need to process your personal data to send you these legal notifications. You will continue to receive this information from us even if you choose not to receive direct marketing information from us. Where such notification is not legally required, it may be in our legitimate interest to notify you of such changes. | Biographical information and contact information, financial information, trading information, PEP information (where relevant) and other information |
| To administer our business effectively such as through means and processes we undertake to provide for our IT and system security, preventing potential crime and to ensure asset security and access controls. | It is in our legitimate interest to protect our assets and systems and to prevent potential crime and/or fraud and to ensure security. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information |
| To update and verify your personal data in accordance with relevant anti-money laundering compliance frameworks. | Legal obligation. Such processing is also in our legitimate interests to prevent potential crime and/or fraud and to protect our business. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information |
| To better customize our services and content for you and to recognize you as a client. | When we collect personal data for these purposes through the use of cookies, we will rely on your consent. It is also in our legitimate interest to customize our services and content for clients and to recognize clients, in order to ensure that clients receive the services and content that are appropriate to them. | Other information, browser information and log information |
| To communicate with you | It is in our legitimate interest to communicate with our clients or potential clients to ensure the effective delivery of our products and services and to administer our business. | Biographical information and contact information, financial information, trading information, and other information |
| To receive services from third parties including services such as administrative, legal, tax, compliance, insurance, IT, debt-recovery, analytics, credit reference, identity verification, research, or other services | It is generally in our legitimate interest to receive such services from third parties to ensure the effective delivery of our products and services and to administer and protect our business. | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information |
| For any purpose not specified above, but for which you direct us to process your personal data | Consent | Biographical information and contact information, financial information, trading information, PEP information (where relevant), verification information, other information, browser information and log information |
Disclosure of Your Personal Data
As part of processing your personal data for the purposes set out above, Thr3e may disclose your personal data to any members of the Thr3e company group and to third parties. For example, Thr3e may disclose your personal data to any of our service providers and business partners for business or other legitimate purposes, such as specialist advisors who have been contracted to provide us with administrative, financial, legal, tax, compliance, insurance, IT, debt-recovery, analytics, research, or other services.
If Thr3e discloses your personal data to service providers and business partners to perform the services requested by clients or to comply with our legal and regulatory obligations, such providers and partners may store your personal data within their own systems. We require them to protect the confidentiality of this personal data and comply with all relevant privacy and data protection laws.
Where We Store Your Personal Data
Our operations are supported by a network of computers, servers, other infrastructure, and information technology, and third-party service providers. We and our third-party service providers and business partners store and process your personal data in the European Union, Japan, the United Kingdom, the United States of America, and elsewhere in the world. Courts, law enforcement, and security agencies of these jurisdictions may be able to use legal processes to access your personal data.
For UK & EEA Clients: Transfers of Personal Data Outside of the European Economic Area (EEA) and the United Kingdom (UK)
We may transfer your personal data outside the EEA and UK to other Thr3e group companies, service providers, and business partners. Transfers outside the EEA or the UK (as appropriate) shall be in accordance with lawful transfer mechanisms. If personal data is transferred to a country which has been found by the European Commission to have an essentially equivalent standard of data protection to the EEA, then Thr3e may rely on an ‘adequacy decision’ to transfer that personal data. See here for a list of countries with adequacy decisions. If personal data is transferred from the EEA or UK to the US, we may rely on standard contractual clauses.
Privacy When Using Digital Assets and Blockchains
Your use of digital assets may be recorded on a public blockchain. Public blockchains are distributed ledgers, intended to immutably record transactions across wide networks of computer systems. Many blockchains are open to forensic analysis, which can lead to re-identification of transacting individuals and the revelation of personal data, especially when blockchain data is combined with other data.
As blockchains are decentralized or third-party networks not controlled or operated by Thr3e, we are not able to erase, modify, or alter personal data on such networks.
Data Retention
When personal data is no longer necessary for the purposes for which it may lawfully be processed, we will remove any details that will identify you, or we will securely destroy the relevant records. We may need to maintain records for a significant period after you cease being our client for legal or regulatory reasons, for example when we need to retain information to help manage a dispute or legal claim. Additionally, we are subject to certain anti-money laundering laws that may require us to retain the following for a period (e.g., 5 years) after our business relationship with you has ended:
- A copy of the records we used to comply with our client due diligence obligations;
- Supporting evidence and records of transactions with you and your relationship with us.
If you have opted out of receiving marketing communications, we will hold your details on our suppression list so that we know you do not want to receive these communications.
We may keep your personal data for longer than 5 years if we cannot delete it for legal, regulatory, or technical reasons.
Your Rights Regarding Your Personal Data
The rights that are available to you in relation to the personal data we process are outlined below. You may request to exercise these rights subject to any limitations provided for under applicable data protection laws.
Access
You can ask us to confirm whether we are processing your personal data and, if so, what information we process and to provide you with a copy of that information.
Rectification
It is important to us that your personal data is up to date. We will take all reasonable steps to make sure that your personal data remains accurate, complete, and up-to-date. Please inform us if your personal data changes. If the personal data we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have disclosed your personal data to others, we will let them know about the rectification where possible. If you ask us, and if possible and lawful to do so, we will also inform you with whom we have shared your personal data.
Erasure
You can ask us to delete or remove your personal data in certain circumstances. Such requests may be subject to any retention limits we are required to comply with in accordance with applicable laws and regulations. If we have disclosed your personal data to others, we will let them know about the erasure request where possible. If you ask us, and if possible and lawful to do so, we will also inform you with whom we have shared your personal data.
Processing Restrictions
You can ask us to block or suppress the processing of your personal data in certain circumstances, such as if you contest the accuracy of that personal data or object to us processing it. It will not stop us from storing your personal data. If we have disclosed your personal data to others, we will let them know about the restriction of processing if possible. If you ask us, and if possible and lawful to do so, we will also inform you with whom we have shared your personal data.
Data Portability
In certain circumstances, you may have the right to obtain personal data you have provided to us in a structured, commonly used, and machine-readable format, and to reuse it elsewhere, or ask us to transfer this to a third party of your choice.
Right to Object
You may have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time. If we have disclosed your personal data to others, we will let them know about the objection to the processing if possible. If you ask us, and if possible and lawful to do so, we will also inform you with whom we have shared your personal data.
Marketing Communications
You can change your mind about receiving marketing communications from us at any time. The easiest way to stop receiving marketing communications from us is to click on the “unsubscribe” link in any email or communication that we send you. You can also contact us using the details provided in Section 17 "Contact Information" to update your contact preferences.
Security
Thr3e has implemented reasonable and appropriate technical and organizational security measures to protect personal data in our custody or control from unauthorized access, disclosure, loss, misuse, and alteration. These security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls. While we endeavor to protect our systems, sites, operations, and information against unauthorized access, use, or disclosure, no security measures can guarantee 100% security. You are responsible for maintaining the security of any password, user ID, or other form of authentication involved in obtaining access to password-protected or secure areas of Thr3e websites. Access to and use of password-protected and/or secure areas of Thr3e websites are restricted to authorized users only.
Breach Notification
If there is a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. We will explain what happened and what we are doing to address the breach and protect your rights. We will use the contact details you provided to us. If you have not provided us with contact details, we may try to notify you in another appropriate way.
Changes to this Privacy Notice
Thr3e may change this Privacy Notice from time to time. If we make any changes, we will post the updated version on our website(s) and update the effective date at the top of this Privacy Notice. We will use commercially reasonable efforts to notify you of any significant changes to this Privacy Notice that would adversely affect your rights.
Contact Information
If you have any questions about this Privacy Notice or want to exercise your rights as described in this Privacy Notice, please contact our Data Protection Officer at dpo@thr3e.io or by mail at:
Data Protection OfficerThr3e Pte Ltd
One Raffles Place Tower 1
Singapore 048616
To report a security incident, please contact us at security@thr3e.io